How to Get the Security Descriptor of a File in SDDL Format in Batch Script

The Security Descriptor Definition Language (SDDL) is a specialized string format that Windows uses to represent the security permissions (ACLs) of a file or folder in a single, compact line of text. While it looks like a cryptic jumble of letters and numbers (e.g., D:(A;;FA;;;BA)), it is the most precise way to back up, compare, or transport permissions across different systems.

In this guide, we will use the icacls command in a Batch script to extract the DACL portion of the security descriptor in SDDL format for any file or directory.

Extracting the DACL with ICACLS

The icacls utility has a /save switch that exports a file's DACL (Discretionary Access Control List) in SDDL format to a text file. The exported file is written as Unicode text: the first line holds the file name (relative to the directory you later pass to /restore) and the second line holds the SDDL string. While its primary purpose is to create a backup that can be restored with /restore, the exported SDDL string is also useful for analysis and documentation.

Basic Extraction Syntax

icacls "C:\Path\To\File" /save "OutputFile.txt"

Implementation Script

This script retrieves the DACL for a specific file and displays the SDDL string in the console window for quick analysis.

@echo off
setlocal EnableDelayedExpansion

set "targetFile=C:\Windows\System32\drivers\etc\hosts"
set "aclFile=%TEMP%\sddl_export.txt"
set "aclFileAnsi=%TEMP%\sddl_export_ansi.txt"

echo Extracting DACL in SDDL format for: %targetFile%
echo ----------------------------------------------------------------------

:: icacls only emits SDDL when exporting with /save; plain "icacls file"
:: prints the friendly "(F)", "(RX)" notation instead.
:: The export is Unicode text: line 1 is the file name, line 2 the SDDL.
set "sddl="
icacls "%targetFile%" /save "%aclFile%" >nul

if exist "%aclFile%" (
    :: FOR /F cannot read UTF-16; TYPE re-encodes it to the console code page.
    type "%aclFile%" > "%aclFileAnsi%"
    for /f "usebackq skip=1 delims=" %%A in ("%aclFileAnsi%") do (
        if not defined sddl set "sddl=%%A"
    )
    del "%aclFile%" "%aclFileAnsi%" >nul 2>&1
)

if defined sddl (
    echo SDDL String:
    echo !sddl!
) else (
    echo.
    echo [ERROR] Failed to extract SDDL. Ensure the file exists and access is permitted.
)

echo ----------------------------------------------------------------------
endlocal
pause

Anatomy of a DACL SDDL String

When you extract the DACL using icacls /save, you will see a string like D:P(A;CI;FA;;;BA). Here is a quick guide to reading its components:

  • D: marks the beginning of the DACL (Discretionary Access Control List).
  • P is the protected flag, indicating that inheritance from the parent is blocked.
  • A is the ACE type, Allow. A D here would mean Deny.
  • CI is Container Inherit (the permission flows down to subfolders).
  • FA is File All Access (Full Control).
  • BA is Built-in Administrators (the security principal being granted the permission).

Why Use SDDL in Your Scripts?

1. Permission Baselining

You can export the SDDL of a "perfectly configured" folder to a text file. Later, your script can re-extract the current SDDL and use FC (File Compare) to see if any permissions have drifted away from the baseline.
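To make the string anatomy above concrete and to show the baseline comparison described in this section, here is an added Python example (not code from the original guide) that decodes the D: section of an SDDL string into individual ACEs and reports which ACEs were added to or removed from a baseline. The abbreviation tables cover only a subset of SDDL, and the sample strings are constructed rather than captured from a real host.

```python
# Decode the DACL half of an SDDL string (line 2 of an icacls /save export)
# and diff it against a baseline. All sample strings below are constructed.
import re

# Subset of the SDDL abbreviations that appear in NTFS DACLs.
ACE_TYPES = {"A": "Allow", "D": "Deny"}
ACE_FLAGS = {"CI": "ContainerInherit", "OI": "ObjectInherit", "IO": "InheritOnly",
             "NP": "NoPropagate", "ID": "Inherited"}
RIGHTS = {"FA": "FullControl", "FR": "Read", "FW": "Write", "FX": "Execute",
          "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite"}
SIDS = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
        "BU": "BUILTIN\\Users", "AU": "Authenticated Users", "WD": "Everyone"}
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")   # D:<flags>(ace)(ace)...
ACE_RE = re.compile(r"\(([^)]*)\)")

def _expand(text, table):
    """Split a run of two-letter abbreviations; a hex access mask is kept whole."""
    if text.startswith("0x"):
        return [text]
    return [table.get(text[i:i + 2], text[i:i + 2]) for i in range(0, len(text), 2)]

def parse_dacl(sddl):
    """Return (dacl_flags, aces) for the D: section; each ACE is a dict."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no D: section found")
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) != 6:
            raise ValueError(f"malformed ACE ({body})")
        ace_type, flags, rights, _obj, _inh, sid = fields
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type),
                     "flags": _expand(flags, ACE_FLAGS),
                     "rights": _expand(rights, RIGHTS),
                     "sid": SIDS.get(sid, sid)})
    return m.group(1), aces

def _key(ace):
    return (ace["type"], tuple(ace["flags"]), tuple(ace["rights"]), ace["sid"])

def dacl_drift(baseline_sddl, current_sddl):
    """Return (added, removed): ACE keys that differ from the baseline."""
    base = {_key(a) for a in parse_dacl(baseline_sddl)[1]}
    cur = {_key(a) for a in parse_dacl(current_sddl)[1]}
    return sorted(cur - base), sorted(base - cur)

# Constructed samples: a protected folder DACL, then the same folder after an over-broad grant to Everyone (WD).
BASELINE = "D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
DRIFTED = BASELINE + "(A;OICI;FA;;;WD)"
```

The same drift check works on an export made with /t, since each SDDL line in the file can be fed to dacl_drift against its baseline counterpart.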

2. High-Speed Restoration

Restoring permissions from an SDDL file using icacls /restore is significantly faster and more reliable than running a hundred individual /grant commands in a loop.

3. Documentation

SDDL is a standard format for documenting security requirements for enterprise software deployments. If you are a developer, your Batch installation script can use SDDL to ensure the app folder is exactly as secure as the specifications require.

Comparison: ICACLS vs. PowerShell (Get-Acl).Sddl

While PowerShell can get the SDDL using a simple property call ((Get-Acl $path).Sddl), the icacls method in Batch is often preferred for two reasons:

  1. Compatibility: icacls /save output is formatted exactly as the /restore switch expects, making it easy to build backup and restore scripts for directory permissions.
  2. Speed: icacls is a native binary and can be faster for bulk operations on large file servers.

Note that (Get-Acl).Sddl returns the complete security descriptor including the Owner, Group, DACL, and SACL, while icacls /save captures only the DACL. If you need the full security descriptor, PowerShell is the better choice.

Summary

The SDDL string is the "Source Code" of NTFS permissions. By using icacls /save in your Batch scripts, you can capture the DACL to document, verify, or duplicate access control configurations with absolute precision. While it may look undecipherable at first glance, its ability to represent a complete access control list in a single line of text makes it an invaluable tool for professional systems administration.